API Key
An API key is a unique alphanumeric token issued to a client that proves identity or authorization when included in API requests, typically via a header or query parameter. API keys are simpler to implement than OAuth flows but lack built-in expiry or user-level scoping by default.
How it works
The provider generates a random, high-entropy string and stores a hash of it server-side. The client includes the raw key in every request (for example, Authorization: Bearer sk-…). The server hashes the incoming key and compares it to the stored hash to grant or deny access.
Key facts
- No user context: Keys authenticate applications, not individual users, unless explicitly scoped
- Rotation: Keys should be rotatable without downtime to recover from leaks
- Storage risk: Keys committed to version control are a leading cause of credential exposure
For builders
API keys work well for server-to-server integrations where a user OAuth flow is impractical. Use environment variables, secrets managers, or vault services to store them, and scope keys to minimum necessary permissions.
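The flow described under "How it works" (generate a high-entropy key, store only its hash, hash the presented key and compare), together with the rotation and least-privilege scoping points from "Key facts" and "For builders", as an added example that is not part of this page. The key format sk_<key_id>_<secret>, the in-memory store, the pepper value and the scope names are assumptions made for illustration; a real service would persist the hashes in a database and load the pepper from a secrets manager or environment variable.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed server-side secret for this example; in practice read it from
# an environment variable or vault, never hard-code it.
PEPPER = b"example-server-side-pepper"


def digest(raw_key: str) -> bytes:
    # The key itself carries 256 bits of entropy, so a fast keyed hash is
    # enough; the pepper means a leaked table of hashes alone cannot be used
    # to forge keys offline.
    return hmac.new(PEPPER, raw_key.encode(), hashlib.sha256).digest()


@dataclass
class StoredKey:
    key_id: str          # public identifier, safe to log for auditing
    key_hash: bytes      # only the hash is stored, never the raw key
    scopes: frozenset    # least-privilege permissions granted to this key
    revoked: bool = False


class ApiKeyStore:
    """Assumed in-memory store: key_id -> StoredKey."""

    def __init__(self):
        self._keys = {}

    def issue(self, scopes) -> str:
        """Generate a key, store its hash, and return the raw key exactly once."""
        key_id = secrets.token_hex(4)        # lookup handle, not secret
        secret = secrets.token_hex(32)       # 256 bits of entropy, alphanumeric
        raw = f"sk_{key_id}_{secret}"
        self._keys[key_id] = StoredKey(key_id, digest(raw), frozenset(scopes))
        return raw

    def verify(self, header_value: str, required_scope: str) -> bool:
        """Validate an Authorization header of the form 'Bearer sk_<id>_<secret>'."""
        scheme, _, raw = header_value.partition(" ")
        if scheme != "Bearer" or not raw.startswith("sk_"):
            return False
        parts = raw.split("_", 2)
        if len(parts) != 3:
            return False
        stored = self._keys.get(parts[1])
        if stored is None or stored.revoked:
            return False
        # Constant-time comparison so timing does not leak hash bytes.
        if not hmac.compare_digest(stored.key_hash, digest(raw)):
            return False
        return required_scope in stored.scopes

    def rotate(self, old_raw: str) -> str:
        """Issue a replacement with the same scopes. The old key stays valid
        until revoke() is called, so clients can switch without downtime."""
        old = self._keys[old_raw.split("_", 2)[1]]
        return self.issue(old.scopes)

    def revoke(self, raw: str) -> None:
        self._keys[raw.split("_", 2)[1]].revoked = True


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue(["read"])
    print("read allowed:", store.verify("Bearer " + key, "read"))
    print("write allowed:", store.verify("Bearer " + key, "write"))
    new_key = store.rotate(key)
    store.revoke(key)
    print("old key after revoke:", store.verify("Bearer " + key, "read"))
    print("new key:", store.verify("Bearer " + new_key, "read"))
```

The key_id prefix lets the server look up one stored hash directly instead of hashing the presented key against every record, and gives logs and leak scanners something to match on without exposing the secret part. Rotation is modelled as issue-then-revoke so that both keys overlap for as long as the client needs to switch.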